This setting affects how a Windows computer handles NTLM authentication both as a client and as an authenticating server.
The default level (3) on current OS's allows Domain Controllers to remain compatible with old clients going back to Windows 2000.
| LMCompatibilityLevel | 0 | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|---|
| Clients receive: LM | Yes | Yes | No | No | No | No |
| Clients receive: NTLM | Yes | Yes | Yes | No | No | No |
| Clients receive: NTLMv2 | No | Negotiated | Negotiated | Yes + Session Security | Yes + Session Security | Yes + Session Security |
| DCs accept: LM | Yes | Yes | Yes | Yes | No | No |
| DCs accept: NTLM | Yes | Yes | Yes | Yes | Yes | No |
| DCs accept: NTLMv2 | Yes | Yes | Yes | Yes | Yes | Yes |
| This level is the default for these OS's: | Windows 2000/XP | | Windows 2003 | Windows 7 / 2008 and above | | |
Best practices are dependent on your specific security and authentication requirements.
If LMCompatibilityLevel on a server is increased to 4 or 5 for better security, any Windows XP/2000 user who tries to authenticate will get a logon failure that is recorded as a bad password and increments the bad password count. If account lock-out is configured, the user will eventually be locked out.
Increasing the LMCompatibilityLevel above 3 on a client makes no difference, but it can be lowered if there is a need to communicate with very old servers.
The NTLM version (0-5) is stored in the registry (as a DWORD):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\LMCompatibilityLevel
or it can be set in the local Security policy (secpol.msc) under:
Local policies\Security Options\Network Security: LAN Manager Authentication level
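The following PowerShell script is an added example, not from the original page: it reads the registry value named above, reports what the current level means using the table above, warns when the level still sends LM/NTLM responses or when a 4/5 setting would break Windows 2000/XP logons, and provides a function to set the value. The `$levels` descriptions, the `$minimum` baseline and the assumption that an absent value means the OS default of 3 (Windows 7 / 2008 and later) are the example's own, not the page's.

```powershell
# Added example: audit and optionally set LMCompatibilityLevel on the local machine.
# Reading works as a standard user; changing the value needs an elevated prompt.

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'LmCompatibilityLevel'

# Meaning of each level, summarising the table above (example's own wording).
$levels = @{
    0 = 'Send LM and NTLM responses'
    1 = 'Send LM and NTLM; NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only; NTLMv2 session security if negotiated'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; DCs refuse LM'
    5 = 'Send NTLMv2 response only; DCs refuse LM and NTLM'
}

function Get-LmCompatibilityLevel {
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Assumption: when the value is not present the OS default applies,
        # which is 3 on Windows 7 / 2008 and later.
        return [pscustomobject]@{ Level = 3; Source = 'OS default (value not present)' }
    }
    return [pscustomobject]@{ Level = [int]$item.$valueName; Source = 'Registry' }
}

function Set-LmCompatibilityLevel {
    param([Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level)
    # -Type DWord ensures the value is created with the right type if it does not exist yet.
    Set-ItemProperty -Path $regPath -Name $valueName -Value $Level -Type DWord
}

$current = Get-LmCompatibilityLevel
"Current level: $($current.Level) ($($current.Source)) - $($levels[$current.Level])"

$minimum = 3   # baseline for this example: never send LM or NTLM responses from this host
if ($current.Level -lt $minimum) {
    Write-Warning "Level $($current.Level) still sends LM/NTLM responses; consider raising it to $minimum."
}
if ($current.Level -ge 4) {
    Write-Warning 'Levels 4-5 on a server cause bad-password logon failures (and possible lockouts) for Windows 2000/XP clients.'
}

# To change the value from an elevated prompt:
#   Set-LmCompatibilityLevel -Level 3
```

Run the script as-is to audit a host; the change takes effect for new authentications without a reboot, but the setting is usually rolled out through Group Policy (the secpol.msc path above) rather than edited per machine, and the same lockout caveat applies when raising it on Domain Controllers that still serve Windows 2000/XP clients.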
“When a deep injury is done us, we never recover until we forgive” ~ Alan Paton
Related:
LAN Manager authentication level - Docs.Microsoft.com
NTLM authentication - The most misunderstood Windows security setting of all time by Jesper Johansson.
NTLM protocol - In-depth detail of the protocol and the related Security Support Provider (SSP) - Eric Glass.